Authentication
The Flow API uses API keys to authenticate requests. You can view and manage your API keys in the Developer Portal or via the API.
Getting Your API Key
- Log in to your Flow account
- Navigate to Settings → Developer
- Click "Create API Key"
- Give your key a name (e.g., "Production", "CI/CD")
- Copy your API key immediately - it's shown only once!
Your API key format: flow_sk_live_<prefix>_<secret>
Using Your API Key
Include your API key in the Authorization header of every request:
curl https://api.flowsocial.app/v1/posts \
  -H "Authorization: Bearer flow_sk_live_abc12345_xyz789..."
Security Best Practices
- Never commit API keys to version control - use environment variables
- Rotate keys regularly - delete old keys and create new ones
- Use different keys for different environments - separate keys for production, staging, and development
- Restrict key access - only share keys with trusted team members
- Monitor key usage - check the "Last Used" timestamp in the Developer Portal
Key Permissions
Currently, all API keys have full access to your account. Scoped permissions (e.g., read-only keys) are coming soon.
Rate Limits
Each API key has a rate limit of 100 requests per minute. Rate limit headers are included in every response:
- X-RateLimit-Limit: Maximum requests per window (100)
- X-RateLimit-Remaining: Remaining requests in current window
- X-RateLimit-Reset: Unix timestamp when the rate limit resets
If you exceed the rate limit, you'll receive a 429 Too Many Requests response:
{
  "error": "Rate limit exceeded",
  "message": "You have exceeded the rate limit of 100 requests per minute.",
  "retry_after": 45
}
Wait for the number of seconds given in retry_after before making more requests.
Error Responses
401 Unauthorized
{
  "error": "Unauthorized"
}
This means:
- Your API key is missing
- Your API key is invalid
- Your API key has been revoked
403 Forbidden
{
  "error": "Forbidden"
}
This means your API key doesn't have permission to perform this action (currently all keys have full access, but this may change in the future).